From: "Poul-Henning Kamp"
To: Karl Denninger
cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 12 Dec 2017 15:19:50 +0000
Message-ID: <26614.1513091990@critter.freebsd.dk>

In message <6fff232c-65c0-34bc-a950-0e79eda025c8@denninger.net>, Karl Denninger writes:

>> As I mentioned humorously to you in private email, I don't think
>> this particular problem will reach consensus any sooner if you
>> are also tangling it in the SVN vs GIT political issue.
>
>Fair enough but I think my underlying point -- that svn ought to provide
>the ability to distribute signed bits, and if it can't then it should
>either be wrapped or augmented to do so if possible, and tossed if not,
>remains valid.

It sure does, but knowing crypto-code and knowing the project's
decision-making process about such things, I see neither adding that
to svn nor replacing svn as feasible this side of 2020.

>Removing unencrypted transport is thus IMO a net bad as it *claims* to
>address this but doesn't. That's bad because you now lead people to
>*believe* they have a secure means of tracking the project's bits but
>that's factually false.

+1

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.